Access Control for BPMN — Implementation, Constraints, and Resilience ALEPH ST
ID: p-2024-01-aleph-1
Published on: Tuesday, 16 January 2024
Deadline for Applications: Wednesday, 31 January 2024 at 23:59
Description:
Workflows represent a series of activities that need to be executed in a specific order to achieve a certain goal. Business Process Model and Notation (BPMN) is the standard most widely adopted by organizations to model business processes as workflows. Within this context, the FBK's Center for Cybersecurity developed a methodology for deriving role-based access control policies from BPMN workflows automatically based on their syntax and that of BPMN symbols [1, 2]. The main goal of this project revolves around the implementation of the aforementioned methodology in a programming language of choice (e.g., Python, Kotlin, Rust). The project then seeks to enhance the capabilities of the aforementioned methodology to include the specification of constraints such as (dynamic and static) separation of duty. Finally — according to the time available — the project aims to investigate the relationship between the access control policies derived from BPMN workflows and the concepts of policy resiliency, workflow satisfiability, and policy change impact analysis.
Levels: BSc, MSc
Supervisors: Stefano Berlato (sberlato@fbk.eu), Roberto Carbone (carbone@fbk.eu), Alessandro Tomasi (altomasi@fbk.eu)
Prerequisites:
- Basic knowledge of IT security.
- Basic knowledge of object-oriented programming languages (i.e., Kotlin).
- Knowledge of access control models and BPMN (although not required) would be advantageous.
Objectives:
- Familiarization and study of the context (i.e., BPMN workflows, RBAC) and the methodology proposed by the FBK's Center for Cybersecurity.
- Enhancement of the aforementioned methodology to support the specification of further constraints.
- Implementation of the methodology and (optional) investigation of the concepts of policy resiliency, workflow satisfiability, and policy change impact analysis.
Topics: Access Control, Workflows, BPMN
Notes: The objectives may be weighted differently according to interest, availability, and the chosen topic.
References:
Automated Privacy Posture Assessment of OpenID Connect Solutions ST
ID: p-2024-01-st-2
Published on: Tuesday, 16 January 2024
Deadline for Applications: Wednesday, 31 January 2024 at 23:59
Description:
OpenID Connect (OIDC) has shown to need a set of privacy best current practices (BCPs), since only a handful of guidelines can be found in this regard. In 2023, we provided a set of BCPs to fill that gap (Sassetti et al.), as well as an assessment of the privacy posture of several OIDC Providers (OPs). The results have shown that only a few OPs provide high baseline privacy, whereas many others implement only bare minimum requirements. Though, one of the issues of the analysis was the lack of automation, thus impacting its scale.
As a new line of work, we plan on automating the assessment of the privacy posture of OPs and extending it to web applications that are integrating the solutions of identified OPs. This can be done either by using pentesting tools, i.e., Micro-Id-Gym (MIG) (Bisegna et al.), or with autonomously developed scripts; a third hybrid approach can be considered.
Level: MSc
Supervisors: Gianluca Sassetti (gsassetti@fbk.eu), Amir Sharif (asharif@fbk.eu), Roberto Carbone (carbone@fbk.eu)
Prerequisites:
- Basic understanding of cybersecurity principles.
- Knowledge of the OpenID Connect protocol is a plus (soft-requirement).
- Strong analytical and problem-solving skills.
Objectives: The main objectives of this internship project are as follows:
- Extend the analysis of OPs by designing a way to automate the testing of OPs (MIG or script) and confirming the previous results;
- Extend the analysis to a larger number of OPs, given the fact that the analysis is now automated;
- Extend the analysis of the privacy posture to web applications and test a large number of web applications.
Topics: OAuth/OIDC, Privacy, API Testing, GDPR
Automated Vulnerability Detection for Mobile TLS Deployments ST
ID: p-2024-01-st-3
Published on: Tuesday, 16 January 2024
Deadline for Applications: Wednesday, 31 January 2024 at 23:59
Description:
TLSAssistant v2 is the latest version of our state-of-the-art analysis tool [1], a modular framework able to perform a wide set of checks and easily extensible with new features. Its main focus is to streamline the mitigation process of known and newly discovered TLS attacks, even for non-expert users, and it has recently gained the ability to assess security compliance against EU and US regulations.
The primary objective of this internship is to enhance its analysis capabilities by implementing a novel module able to perform static security assessments of Android and iOS applications. The module will be based on the powerful SEBASTiAn [2] open-source tool, developed by a spin-off company of the University of Genova. Working with a state-of-the-art tool and newly discovered vulnerabilities, the candidate will need determination and a willingness to overcome the challenges he or she is likely to face.
Levels: BSc, MSc
Supervisors: Salvatore Manfredi (smanfredi@fbk.eu), Matteo Rizzi (mrizzi@fbk.eu)
Time frame: Available starting from January 2024
Prerequisites:
- Experience with Python 3 development
- Basic knowledge of the TLS protocol
- Problem-solving
Topics: Research tool, Android vulnerability detection, Actionable mitigations, TLS misconfiguration
Notes: Multiple positions available.
References:
Automatic Security Testing Tool for Identity Management Protocols CLEANSE ST
ID: p-2024-01-st-1
Published on: Tuesday, 16 January 2024
Deadline for Applications: Wednesday, 31 January 2024 at 23:59
Description:
Identity Management (IdM) protocols are the protocols supporting Single-Sign On (SSO) which is an authentication schema allowing the user to access different services using the same set of credentials. Two of the most known IdM protocols are SAML 2.0 SSO and OAuth 2.0/OpenID Connect. Several solutions for corporations like Google, Meta (Facebook) and for Public Administration like eIDAS and SPID are based on IdM protocols. We propose improving the tool to extend its capabilities by designing and implementing new features.
Levels: BSc, MSc
Supervisors: Andrea Bisegna (a.bisegna@fbk.eu), Roberto Carbone (carbone@fbk.eu)
Prerequisites: Preferably basic knowledge of Java.
Objectives:
- Literature Review (guidelines and best practices)
- Ethical analysis
- Risk Assessment
Topics: Identity Management protocols, Attack patterns, Penetration testing
Notes: Multiple positions available.
Automatic Security Testing Tool for Identity Management Protocols CLEANSE ST
ID: p-2024-st-8
Published on: Friday, 18 October 2024
Deadline for Applications: Monday, 18 November 2024 at 23:59
Description:
Identity Management (IdM) protocols are the protocols supporting Single-Sign On (SSO) which is an authentication schema allowing the user to access different services using the same set of credentials. Two of the most known IdM protocols are SAML 2.0 SSO and OAuth 2.0/OpenID Connect. Several solutions for corporations like Google, Meta (Facebook) and for Public Administration like eIDAS and SPID are based on IdM protocols. We propose improving the tool to extend its capabilities by designing and implementing new features.
Levels: BSc, MSc
Supervisors: Andrea Bisegna (a.bisegna@fbk.eu), Roberto Carbone (carbone@fbk.eu)
Prerequisites: Preferably basic knowledge of Java.
Objectives:
- Literature Review (guidelines and best practices)
- Ethical analysis
- Risk Assessment
Topics: Identity Management protocols, Attack patterns, Penetration testing
Notes: Multiple positions available.
BAS tools - Analysis of state-of-the-art techniques and their impact CLEANSE ST
ID: p-2024-01-st-4
Published on: Tuesday, 16 January 2024
Deadline for Applications: Wednesday, 31 January 2024 at 23:59
Description:
A Breach and Attack Simulation (BAS) tool is a cybersecurity solution designed to assess and improve the security posture of an organization's IT infrastructure. BAS tools simulate TTP (Tactics, Techniques, and Procedures) of advanced real-world cyberattacks and security breaches in a controlled environment to evaluate the effectiveness of an organization's security defenses. The primary goal of a BAS is to identify vulnerabilities, misconfigurations, and weaknesses in security controls before real attackers can exploit them.
The primary objective of this internship is to perform a literature review on the state-of-the-art, comparing the capabilities of existing tools, their features, and how they can be replicated.
Level: BSc
Supervisors: Matteo Rizzi (mrizzi@fbk.eu), Salvatore Manfredi (smanfredi@fbk.eu), Pietro De Matteis (pdematteis@fbk.eu)
Prerequisites:
- Knowledge of common attacks (e.g. phishing, sniffing), the more the better
- Knowledge of virtualization techniques
- Problem-solving
- Researching topics with a critical eye
Objectives:
- Perform a literature review on the state-of-the-art in terms of tools and techniques, listing their features, applicability and scope
- Analyze and propose scenarios and use cases, along with their limitations, impact and feasibility
Topics: Research tool, Security posture, Attack patterns
Notes: Only available as an Internship+thesis pair
References:
BAS tools - Implementation of an attack pattern to mimic a threat actor CLEANSE ST
ID: p-2024-01-st-5
Published on: Tuesday, 16 January 2024
Deadline for Applications: Wednesday, 31 January 2024 at 23:59
Description:
A Breach and Attack Simulation (BAS) tool is a cybersecurity solution designed to assess and improve the security posture of an organization's IT infrastructure. BAS tools simulate TTP (Tactics, Techniques, and Procedures) of advanced real-world cyberattacks and security breaches in a controlled environment to evaluate the effectiveness of an organization's security defenses. The primary goal of a BAS is to identify vulnerabilities, misconfigurations, and weaknesses in security controls before real attackers can exploit them.
Focusing on the future replicability of the task performed, the principal aim of this internship is to implement a proposed use-case utilizing a fully functional open-source BAS/Adversary Emulation tool. By the end of the internship, the intern should have developed a thorough comprehension of the present state of threats and will have successfully simulated a highly consequential one, ultimately offering mitigation strategies. It would be ideal if the intern devised a method for constructing payloads that simulate advanced cyberattacks with ease, thereby establishing a modular and replicable approach.
Levels: BSc, MSc
Supervisors: Matteo Rizzi (mrizzi@fbk.eu), Salvatore Manfredi (smanfredi@fbk.eu), Pietro De Matteis (pdematteis@fbk.eu)
Time frame: Only available as an Internship+thesis pair
Prerequisites:
- Being able to work with YAML files
- Experience with a programming language at your choice (better if Python or rustlang)
- Knowledge of common attacks (e.g. phishing, sniffing), the more the better
- Knowledge of virtualization techniques
- Problem-solving
Objectives:
- Implement a proposed use-case utilizing a fully functional open-source Breach and Attack Simulation (BAS) or Adversary Emulation tool.
- Gain a comprehensive understanding of the current threat landscape and the most significant threats organizations face.
- Ensure the work is well-documented and the attack simulations are replicable.
- Identify vulnerabilities, gaps in security controls, and other weaknesses revealed by the attack simulations. Provide actionable recommendations for improving defenses against the simulated threat.
Topics: Research tool, Security posture, Attack patterns
References:
Course Development with the European Cybercrime Training and Education Group ALEPH
ID: p-2024-aleph-8
Published on: Friday, 11 October 2024
Deadline for Applications: Monday, 4 November 2024 at 23:59
Description:
The Center for Cybersecurity (CS) of FBK has recently become a partner of the European Cybercrime Training and Education Group (ECTEG). In detail, CS joined an initiative [1] aiming to develop a course on blockchain technology to train and educate law enforcement agents and Judicial authorities fighting criminal activities that exploit blockchain-related resources, such as cryptocurrencies. In this context, the main goal of this project is to assist in the development of the course materials by, for instance, designing and testing serious games and capture-the-flag simulations. While allowing to investigate and explore cutting-edge and relevant topics in an European context, it is important to note that this project mainly focuses on didactics and pedagogy.
Type: Internship + Thesis
Levels: BSc, MSc
Supervisors: Stefano Berlato (sberlato@fbk.eu), Riccardo Longo (rlongo@fbk.eu)
Time frame: We would like the applicant to start as soon as possible with the internship; the period for the thesis is then negotiateable.
Prerequisites:
- Basic understanding of cybersecurity principles.
- Basic knowledge of cryptography and blockchain technology from cryptography-related courses.
- Basic knowledge or experience in the use of cryptocurrencies and development of serious games and capture-the-flag simulations would be advantageous.
Objectives:
- Familiarization and study of the context (e.g., blockchain, cryptocurrencies).
- Design and testing of serious games and capture-the-flag simulations.
Topics: Blockchain, Didactics and pedagogy, Serious games, Capture-the-flag simulations
Notes: Doing both internship and thesis is recommended but not required (i.e., only internship may be acceptable).
References:
- [1] ECTEG Blockchain Project • Link
Creating a testing enviroment in Kubernetes Orchestration with KWOK RiSING
ID: p-2024-01-rising-1
Published on: Tuesday, 16 January 2024
Deadline for Applications: Wednesday, 31 January 2024 at 23:59
Description:
Kubernetes Without Kubelet (KWOK) [1][2] is an experimental tool that is able to simulate large Kubernetes clusters with a very limited footprint on the system. While setting up regular Kubernetes clusters --- even for testing and educational purposes --- requires time, resources and even an innocent mistake may require a full redeployment, KWOK allows the provisioning of multiple clusters, each with hundreds of nodes, with no overhead and full compatibility with all the Kubernetes ecosystem. Workloads that are deployed will be transparently simulated on the system, reflecting any configuration provided by users (redundancy, quotas, labels) and reacting accordingly, just like a real cluster.
The objective of this internship project is twofold. First, candidates will get acquainted with container orchestration and how to the Kubernetes works, the interactions between all the modules, and the configuratgions needed to run custom schedulers, CRDs, proxies and tools. Second, the candidate will learn more about CRDs and custom projects using K8s, testing in the KWOK a custom scheduler.
Level: BSc
Supervisor: Luis Augusto Dias Knob (l.diasknob@fbk.eu)
Prerequisites:
- Knowledge of computer networking
- Basic Knowledge with Kubernetes
Topics: Kubernetes, Cloud orchestration
References:
Cryptographic Access Control for Blockchain-based Applications ALEPH ST
ID: p-2024-01-aleph-2
Published on: Tuesday, 16 January 2024
Deadline for Applications: Wednesday, 31 January 2024 at 23:59
Description:
Given the limited trust and inherently centralized nature of Cloud-based applications, the blockchain emerges as the ideal solution to guarantee the integrity and the confidentiality of sensitive data in cross-organizational scenarios. However, the basic security properties offered by the blockchain should be coupled with fine-grained access control policies (e.g., role- and attribute-based access control) enforced through cryptography (e.g., hybrid cryptography, multi-authority attribute-based encryption) for best security. The main goal of this project is to investigate how cryptographic access control is and can be used in blockchain-based applications to enforce access control policies in complex cross-organizational scenarios.
Levels: BSc, MSc
Supervisors: Stefano Berlato (sberlato@fbk.eu), Roberto Carbone (carbone@fbk.eu), Riccardo Longo (rlongo@fbk.eu)
Prerequisites:
- Basic knowledge of IT security.
- Basic knowledge of cryptography from cryptography-related courses.
- Basic knowledge of object-oriented programming languages (i.e., Kotlin).
Objectives:
- Familiarization and study of the state of the art in the use of the Blockchain for advanced data protection.
- Evaluation of available techniques and design of a solution joining cryptographic access control with the Blockchain for high assurance of data integrity and confidentiality.
- Implementation of the proposed approach in a tool developed and actively maintained by the FBK's Center for Cybersecurity [1].
Topics: Access Control, Cryptography, Blockchain
References:
- [1] CryptoAC • Link
Cryptographic Access Control for Cloud Native Applications ALEPH ST
ID: p-2024-aleph-9
Published on: Friday, 11 October 2024
Deadline for Applications: Monday, 4 November 2024 at 23:59
Description:
"The characteristics of cloud native applications — like the inherent decentralization, the intricate threat model, and the presence of highly dynamic and interconnected microservices — bring forth a number of challenges to data security. In a recently published article [1], the Center for Cybersecurity (CS) of FBK has investigated the use of CryptoAC [2] to provide end-to-end protection of sensitive data in cloud native applications through cryptographic enforcement of access control policies. CryptoAC (short for Cryptographic Access Control) is an open-source tool written in the (multiplatform) Kotlin language, and potentially available as programming library, plugin, or microservice (Docker container). In this context, applicants may choose one of the following 2 activities: collaborate on extending the work in [1] by refining and evaluting the use of CryptoAC for data security in cloud native applications or extend the capabilities of CryptoAC in one or more of the following areas: user authentication with OpenID Connect and FIDO, integration of CryptoAC with Trusted Execution Environments (TEEs), cryptographic key management, strategies and tools for cryptographic bill of materials management. This project provides the opportunity to acquire the fundamentals of scientific research, investigate and explore cutting-edge and relevant research topics, and engage in software engineering and development while allowing applicants to design, propose, and implement their own ideas."
Type: Internship + Thesis
Levels: BSc, MSc
Supervisors: Stefano Berlato (sberlato@fbk.eu), Roberto Carbone (carbone@fbk.eu)
Time frame: We would like the applicant to start as soon as possible with the internship; the period for the thesis is then negotiateable.
Prerequisites:
- Basic understanding of cybersecurity principles.
- Basic knowledge of cryptography from cryptography-related courses.
- Basic knowledge of object-oriented programming languages (i.e., Kotlin).
- Knowledge of containers technologies (i.e., Docker) may be advantageous.
Objectives:
- Familiarization and study of the context (i.e., cryptographic access control, cloud native applications).
- Investigation of possible extensions to the solution proposed in [1] and CryptoAC.
- Implementation and evaluation of the chosen extensions.
Topics: Access Control, Applied Cryptography, Cloud Native Applications, Software Development
Notes: Doing both internship and thesis is recommended but not required (i.e., only internship may be acceptable).
References:
Cryptographic Revocation ALEPH
ID: p-2024-01-aleph-3
Published on: Tuesday, 16 January 2024
Deadline for Applications: Wednesday, 31 January 2024 at 23:59
Description:
There is a strong interest in privacy-enhancing technologies to satisfy the complex requirements of digital identity, in particular minimizing the personal data shared at each presentation and preventing others from correlating the activity of digital identity credential holders between presentations. Important use cases are the Mobile Driver's License (ISO 18013-5) and the European Digital Identity Wallet.
Cryptographic accumulators, e.g., [BdM93, N05, LLX07, BBF18, VB20] are efficient protocols to prove set (non-)membership that have been proposed as privacy-enhancing credential revocation mechanisms for digital credentials, e.g., [CL02].
During the internship, you will have an opportunity to consider theoretical and practical aspects of these technologies, to be agreed upon based on your interest and prior knowledge. We are particularly interested in a performance comparison of algorithms of interest, possibly using existing libraries (e.g., accumulator-rs).
Level: MSc
Supervisor: Alessandro Tomasi (altomasi@fbk.eu)
Prerequisites:
- An undergraduate course in cryptography is required for basic notions.
- Knowledge of one or more of the following would be highly advantageous: RSA, elliptic curve cryptography, zero-knowledge proofs, programming in Python or Rust.
- Knowledge of programming languages (i.e., Python, Rust) would be highly advantageous.
Objectives:
- Summary of chosen technologies.
- Comparison of technologies on metrics of interest for the chosen scenario, e.g., complexity (number of operations), proof size, and offline functionality.
- Exploration of alternatives for cryptographic agility, e.g., other elliptic curves or hash functions.
Topics: Digital Identity, Cryptography, Privacy Enhancing Technologies
Notes: The objectives may be weighted differently according to interest, availability, and the chosen topic.
References:
- [BBF18] "Batching Techniques for Accumulators with Applications to IOPs and Stateless Blockchains". D Boneh, B Bünz, B Fisch. IACR 2018, CRYPTO 2019. • DOI, Video
- [BdM93] "One-way accumulators: a decentralized alternative to digital signatures." J C Benaloh, M de Mare, Eurocrypt 93. • DOI
- [CL02] "Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials." J Camenisch, A Lysyanskaya, CRYPTO 2002. • DOI
- [LLX07] "Universal Accumulators with Efficient Nonmembership Proofs". Li, J., Li, N., Xue, R., 2007. • DOI
- [N05] "Accumulators from Bilinear Pairings and Applications." L Nguyen, CT-RSA 2005. • DOI
- [VB20] "Dynamic Universal Accumulator with Batch Update over Bilinear Groups". G. Vitto, A. Biryukov, IACR 2020, CT-RSA 2022. • DOI, Video
- [CHAHC22] "Curve Trees: Practical and Transparent Zero-Knowledge Accumulators." M Campanelli, M Hall-Andersen, S Holmgaard Kamp. • Link
DevSecOps for Cloud Native Applications CLEANSE
ID: p-2024-01-cil-1
Published on: Tuesday, 16 January 2024
Deadline for Applications: Wednesday, 31 January 2024 at 23:59
Description:
"The purpose and intent of DevSecOps is to build on the mindset that everyone is responsible for security with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required," describes Shannon Lietz, co-author of the "DevSecOps Manifesto."
DevSecOps (development, security, and operations) is an approach to automate the integration of cybersecurity processes at every phase of the software development lifecycle, from initial design through integration, testing, deployment, and software delivery. It represents a natural and necessary evolution in the way development organizations approach security.
For Cloud Native Applications, security regards multiple levels (code, container, deployment, orchestrator, etc.) and the approach to introduce security should consider all of them.
Levels: BSc, MSc
Supervisor: Pietro De Matteis (pdematteis@fbk.eu)
Prerequisites:
- Knowledge base of Software Development Life Cycle (optional).
- Basic Knowledge with Kubernetes, DevOps or DevSecOps tools (optional).
Objectives: The main target is related cloud native application development life cicle, based on micriservices and distribuited deployment (for example Docker and Kubernetes).
Additional:
- analyze scenarios and use cases
- evaluate guidelines, best practices and tools
- analyze SAST, DAST and SCA tools to use in a CI/CD pipeline
Topics: Cloud Native Applications, Secure coding, Software Development Life Cycle (SDLC), DevSecOps, Container and orchestrator
Notes: Multiple positions available.
Digital Identity Wallet Solution Threat Analysis and Compliance Review ST
ID: p-2024-st-7
Published on: Friday, 11 October 2024
Deadline for Applications: Monday, 11 November 2024 at 23:59 Monday, 25 November 2024 at 23:59 (extended)
Description:
In an increasingly digital world, the security of personal and sensitive information is paramount. Digital identity wallets have emerged as a convenient and secure solution for individuals to manage and control their personal identity data, enabling seamless interactions across various online services. However, ensuring the robust security of these wallets is of utmost importance to prevent potential breaches and unauthorized access. This internship project focuses on:
- Extending a set of already identified threats using well-known threat modeling frameworks (e.g., OWASP and STRIDE).
- Performing a security analysis on the available open-source Wallet Solutions in the wild to check their implementation against the set of identified threats using both manual (static source code analysis) and automatic tools.
Type: Internship + Thesis
Levels: BSc, MSc
Supervisors: Amir Sharif (asharif@fbk.eu), Giada Sciarretta (g.sciarretta@fbk.eu)
Time frame: We would like the applicant to start as soon as possible with the internship; the period for the thesis is then negotiateable.
Prerequisites:
- Basic understanding of cybersecurity principles.
- Pre-knowledge of the OpenID Connect protocol is a plus.
- Strong analytical and problem-solving skills.
- Knowledge of STRIDE framework and OWASP threat modeling procedures (prior experience is a plus).
- Pre-knowledge of Android OS and Android application development is a plus.
- Ability to review code for security vulnerabilities, understanding how certain coding practices might introduce security risks.
Objectives:
- To extend the current threat analysis for a digital identity wallet system considering the newly introduced sources by the European Commission and/or in state of the art by utilizing the STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) framework and the OWASP (Open Web Application Security Project) threat modeling procedures. Therefore at the end of this phase, you will provide a more complete list that is updated with the latest literature.
- Performing a security analysis on the available open-source Wallet Solutions in the wild to check their implementation against the set of identified threats. This provides us with a general overview of adopting potential mitigations, identifies the missing ones and additionally provides an overview of their solution compliance with the eIDAS 2.0 regulations.
Topics: Digital Identity Wallet, Threat Modeling, Security Analysis, Static code analysis, Dynamic code analysis, Compliance
Enforcing policy based control for cloud native applications CLEANSE RiSING
ID: p-2024-01-cil-2
Published on: Tuesday, 16 January 2024
Deadline for Applications: Wednesday, 31 January 2024 at 23:59
Description:
Created as an extension of the DevOps methodology, DevSecOps adds security constraints to the cloud-native applications deployment and lifecycle maintenance [1]. By fostering teamwork and automating checks, it speeds up delivery while keeping software safer, ensuring the use of security best practices in each part of the software development.
Level: BSc
Supervisors: Pietro De Matteis (pdematteis@fbk.eu), Luis Augusto Dias Knob (l.diasknob@fbk.eu)
Prerequisites:
- Knowledge of Computer Networking and Cloud Computing.
- Basic Knowledge with Kubernetes, DevOps or DevSecOps tools.
Objectives: In this project, we are interested in exploring the validation and assurance of a set of security constraints in the container lifecycle, since its container image creation through the execution phase using a policy-based control framework, e.g. OPA[2]. We also want to implement an automated system trigger if some of the constraints fails, recreating the container image or reconfiguring it, if necessary.
Topics: Cloud Computing, Security Policy-based Controls, DevSecOps
Notes: Multiple positions available.
References:
- [1] Myrbakken, H., & Colomo-Palacios, R. (2017). DevSecOps: a multivocal literature review. In Software Process Improvement and Capability Determination: 17th International Conference, SPICE 2017, Palma de Mallorca, Spain, October 4–5, 2017, Proceedings (pp. 17-29). Springer International Publishing.
- [2] https://www.openpolicyagent.org/ • Link
Key Recovery ALEPH
ID: p-2024-01-aleph-4
Published on: Tuesday, 16 January 2024
Deadline for Applications: Wednesday, 31 January 2024 at 23:59
Description:
Safeguarding private keys presents many issues, especially for the general public. Private keys can be easily lost or forgotten, leading to the inaccessibility of the assets which they control. On the other hand, delegating full control of the keys to a third party for safekeeping is risky and may not be viable. We would like to implement and test a recently proposed cryptographic key recovery scheme [BLM22] based on a distributed secret sharing that allows some parties to be offline during the key-generation process.
Level: MSc
Supervisors: Riccardo Longo (rlongo@fbk.eu), Alessandro Tomasi (altomasi@fbk.eu)
Prerequisites:
- Knowledge of secret sharing and Elliptic Curve Cryptography.
- Programming experience in Rust, C, Python, or equivalent.
- Knowledge of Pedersen commitment is not required but would be beneficial.
Objectives:
- Development of a cryptographic proof of concept software.
- Performance evaluation and comparison.
Topics: Secret Sharing, Decentralization
References:
Machine Learning Insights into Cryptographic Unlinkability for Digital Identity Protection ALEPH
ID: p-2024-01-aleph-5
Published on: Tuesday, 16 January 2024
Deadline for Applications: Wednesday, 31 January 2024 at 23:59
Description:
Studying unlinkability in the world of digital identity holds significant importance. It helps create strong and privacy-preserving digital identity systems, allowing people to protect their privacy, by preventing others from linking their actions and building profiles. A good example use case of this study is the European Digital Identity Wallet, which stores information such as IDs and mobile driving licenses.
Cryptographic techniques such as selective disclosure and zero-knowledge mechanisms [1,2,3] can ensure that digital identity systems provide only the necessary information, contributing to unlikability of identity credentials and user privacy in regards. However, it's imperative to question the reliability of these techniques.
Machine learning, with its proficiency in pattern recognition and data analysis, is a powerful tool in this context. It possesses the capability to uncover hidden links and vulnerabilities within identity systems, enabling the detection and mitigation of re-identification and profiling [4]. During your internship, you'll get a chance to explore both the theory and practical aspects of these techniques, based on your interests and prior knowledge. Our primary focus will be on investigating the key factors that contribute to the unlinkability of identity credentials, with a special emphasis on the implementation of unlinkability techniques, particularly in the context of identity creation and presentation within relevant use cases. We'll also use machine learning to see how any of these key factors can make it easier or harder to stay anonymous.
Level: MSc
Supervisors: Alessandro Tomasi (altomasi@fbk.eu), Zahra Ebadi Ansaroudi (zebadiansaroudi@fbk.eu)
Prerequisites:
- An undergraduate course in cryptography is required for basic notions.
- Having expertise in the following areas would provide a significant advantage: An understanding of selective disclosure and zero-knowledge proofs; Knowledge of machine learning, covering algorithms, frameworks (e.g., https://scikit-learn.org/), data preprocessing, model evaluation, and deployment; Proficiency in programming languages, specifically Python or R.
Objectives:
- State-of-the-art study on available cryptographic unlinkability techniques,
- Comparison of the unlinkability techniques on metrics of interest for the chosen unlikability scenarios and case studies. This could be employing machine-learning-based analysis and proving whether the unlinkability is violated for chosen case studies or not.
Topics: Digital Identity (Verifiable Credentials), Cryptography and Privacy Enhancing Technologies, Machine Learning
Notes: The objectives can be tailored according to the intern's interests and the focus of the project.
References:
- [1] Alpár, G., Jacobs, B.: Credential design in attribute-based identity management (2013).
- [2] Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Advances in Cryptology—EUROCRYPT 2001: International Conference on the Theory and Application of Cryptographic Techniques Innsbruck, Austria, May 6–10, 2001 Proceedings 20. pp. 93–118. Springer (2001).
- [3] Ringers, S., Verheul, E., Hoepman, J.H.: An efficient self-blindable attribute-based credential scheme. In: Financial Cryptography and Data Security: 21st International Conference, FC 2017, Sliema, Malta, April 3-7, 2017, Revised Selected Papers 21. pp. 3–20. Springer (2017).
- [4] Van Otterlo, M.: A machine learning view on profiling. Privacy, Due Process and the Computational Turn-Philosophers of Law Meet Philosophers of Technology. Abingdon: Routledge pp. 41–64 (2013).
Revocation Scalability ALEPH RiSING
ID: p-2024-01-aleph-6
Published on: Tuesday, 16 January 2024
Deadline for Applications: Wednesday, 31 January 2024 at 23:59
Description:
Revocation of X.509 certificates on the web is commonly addressed by Certificate Revocation Lists [CRL] and Online Certificate Status Protocol [OCSP]. The most common scenario is one in which the certificate Holder is a web server, the certificate Verifier is a desktop-run web browser, and the revocation Responder is also a web server. Scalability of this model to large numbers of Verifiers may be handled by content delivery networks.
New scenarios of interest are emerging, including the Mobile Driving License [ISO18013-5], in which both Holder and Verifier may be edge devices, either or both of which may be offline for significant periods of time, and both have fewer resources than the web-based client-server scenario. New mechanisms are also being considered, e.g. [JCSL], as well as cryptographic revocation. It is not obvious in all possible scenarios what the best balance would be between frequency of revocation status requests, frequency of issuance (signature) of attestations and revocation information, and bandwidth consumed, given the different options available for implementing technologies, while at the same time guaranteeing the greatest degree of security and privacy for all participants.
During the internship, you will have an opportunity to consider theoretical and practical aspects of these technologies, to be agreed based on your interest and prior knowledge.
Levels: BSc, MSc
Supervisors: Alessandro Tomasi (altomasi@fbk.eu), Domenico Siracusa
Prerequisites:
- Basic knowledge of PKI would be beneficial.
- Knowledge of the following would be advantageous: Public Key Infrastructure (PKI), CRL and OCSP.
Objectives:
- Summary of technologies under consideration
- Comparison of technologies on metrics of interest for the chosen scenario - a mobile wallet and edge device reader
- Implementation and performance evaluation of a Proof of Concept
- Exploration of alternatives for cryptographic agility, e.g., other elliptic curves or hash functions
Topics: Digital Identity, Revocation
Notes: The objectives may be weighted differently according to interest, availability, and the chosen topic.
References:
- [CRL] "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile". RFC 5280. • Link
- [ISO18013-5] ISO/IEC 18013-5, Personal identification — ISO-compliant driving licence — Part 5: Mobile driving licence (mDL) application, First edition, 2021-09.
- [JCSL] "WT and CWT Status List". T, Looker et al., 10 July 2023. • Link
- [OCSP] "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP". RFC 6960. • Link
Robustness of Intrusion Detection Systems against Adversarial Machine Learning attacks RiSING
ID: p-2024-01-rising-2
Published on: Tuesday, 16 January 2024
Deadline for Applications: Wednesday, 31 January 2024 at 23:59
Description:
A Network Intrusion Detection System (NIDS) serves as the initial line of defence against network attacks that threaten the integrity of data, systems, and networks. Over recent years, Deep Neural Networks (DNNs) have been increasingly used in NIDSs to detect malicious traffic due to their remarkable accuracy in identifying malicious network activity. Nonetheless, DNNs exhibit susceptibility to Adversarial Machine Learning (AML) attacks, where subtle alterations to input data can lead to misclassification by the neural network. This vulnerability has particularly severe consequences, as adversarial attacks pose a substantial threat to overall network security. While the majority of current research in the field of AML has been directed towards computer vision tasks like image classification and object recognition, there has been a notable increase in interest and activity within the cybersecurity domain. Nevertheless, several challenges persist in this domain, encompassing both performance-related issues and the practicality of applying these methods to real-world scenarios. The primary objective of this project is to explore innovative and practical methodologies aimed at enhancing the resilience of NIDSs against AML attacks.
Level: MSc
Supervisor: Roberto Doriguzzi Corin (rdoriguzzi@fbk.eu)
Prerequisites:
- Basic knowledge of network security
- Basic knowledge of computer networking
- Basic knowledge of the Python programming language and Deep Learning libraries
Objectives:
- Familiarization and study of the state-of-the-art related to AML attacks and defenses
- Evaluation of available AML techniques against state-of-the-art DL-based NIDS to spot limitations in the existing solutions
- Design and implementation of a novel solution
Topics: Network security, Deep learning, Adversarial Machine Learning
References:
- [1] He, Ke, Dan Dongseong Kim, and Muhammad Rizwan Asghar. "Adversarial machine learning for network intrusion detection systems: a comprehensive survey." IEEE Communications Surveys & Tutorials (2023).
- [2] Alhajjar, Elie, Paul Maxwell, and Nathaniel Bastian. "Adversarial machine learning in network intrusion detection systems." Expert Systems with Applications 186 (2021): 115782.
- [3] Jmila, Houda, and Mohamed Ibn Khedher. "Adversarial machine learning for network intrusion detection: A comparative study." Computer Networks 214 (2022): 109073.
Rust E-voting Cryptographic Library ALEPH
ID: p-2024-01-aleph-7
Published on: Tuesday, 16 January 2024
Deadline for Applications: Wednesday, 31 January 2024 at 23:59
Description:
Electronic voting (e-voting) includes processes in whole or in part executed by electronic means, such as by using voting machines to cast ballots, using scanners to digitize paper ballots, or casting votes remotely over the internet (i-voting).
Cryptography is at the heart of end-to-end verifiable protocols, including additively homomorphic encryption to tally votes without decrypting each one, secure multi-party computation to avoid a single authority from having all private keys, and zero-knowledge proofs to prove ballot correctness, among other properties.
During a recent e-voting project, we developed a library for cryptographic functions in Python based on the MIRACL core library and the protocol summarized in [LMST22]. The successful applicant will have the opportunity to assist in performing the same task in the more secure and performant Rust language.
Level: MSc
Supervisors: Riccardo Longo (rlongo@fbk.eu), Alessandro Tomasi (altomasi@fbk.eu)
Prerequisites:
- Knowledge of ElGamal, secret sharing, and Elliptic Curve Cryptography.
- Programming experience in Rust, C, Python, or equivalent.
Objectives:
- Development of a cryptographic library.
- Performance evaluation and comparison.
Topics: Electronic voting, Zero-knowledge, Secure multi-party cryptography
References:
- [1] Aleph: e-voting • Link
- [2] The MIRACL Core Cryptographic Library • Link
- [LMST22] Riccardo Longo, Umberto Morelli, Chiara Spadafora, Alessandro Tomasi. Adaptation of an i-voting scheme to Italian Elections for Citizens Abroad. In: Seventh International Joint Conference on Electronic Voting (E-Vote-ID 2022). • DOI
Threat Modeling for Digital Identity Wallet ST
ID: p-2024-01-st-6
Published on: Tuesday, 16 January 2024
Deadline for Applications: Wednesday, 31 January 2024 at 23:59
Description:
In an increasingly digital world, the security of personal and sensitive information is paramount. Digital identity wallets have emerged as a convenient and secure solution for individuals to manage and control their personal identity data, enabling seamless interactions across various online services. However, ensuring the robust security of these wallets is of utmost importance to prevent potential breaches and unauthorized access. This internship project focuses on:
- applying threat modeling procedures (e.g., OWASP and STRIDE) to enhance the security posture of a digital identity wallet system;
- Performing a security analysis on the available Wallet Solutions in the wild to check their implementation against the set of identified threats using both manual (static source code analysis) and automatic tools.
Level: MSc
Supervisors: Amir Sharif (asharif@fbk.eu), Giada Sciarretta (g.sciarretta@fbk.eu)
Prerequisites:
- Basic understanding of cybersecurity principles.
- Pre-knowledge of the OpenID Connect protocol is a plus.
- Strong analytical and problem-solving skills.
- Knowledge of OWASP threat modeling procedures (prior experience is a plus).
- Pre-knowledge of Android OS and Android application development is a plus.
- Ability to review code for security vulnerabilities, understanding how certain coding practices might introduce security risks
Objectives:
- To extend the threat analysis for a digital identity wallet system considering the underlying technologies (Blockchain-based and OpenID-based) and by utilizing d the OWASP (Open Web Application Security Project) threat modeling procedures. Therefore at the end of this phase, we identify potential vulnerabilities, assess associated risks, and propose effective mitigation strategies.
- Performing a security analysis on the available Wallet Solutions in the wild to check their implementation against the set of identified threats. This provides us with a general overview of the adoption of potential mitigations and identifies the missing ones.
Topics: Identity Management, Digital Identity Wallet, Threat Modelling